<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Stories About Botnets - Part 2</title><description>2012-06-28 20:30:30 - FireEye Malware Intelligence Lab : In the first part of this series, I talked about a few botnets that are using random domain generation algorithms in order to conceal their Command and Control (CnC) servers. But that's not the only type of evasion being used by advanced malware. There are other types of polymorphism as well. Some of the polymorphic strains found in these malware are as follows: Random domain generation (as I talked about in Part 1), Random URL</description><link>http://www.secuobs.com/revue/news/384454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384454.shtml</guid></item>
<item><title>More Flame/sKyWIper CNC Behavior Uncovered</title><description>Secuobs.com : 2012-06-25 22:11:43 - FireEye Malware Intelligence Lab - When news of the Flame/SkyWiper malware hit the headlines last month, the world went into a frenzy. Flame was immediately hailed as the world's most sophisticated malware. While security researchers will surely be talking about Flame for years to come, FireEye has since made another discovery regarding Flame's command and control (CNC) behavior: it appears that the Flamer/sKyWIper malware's callback has recently changed. Specifically, we have evidence that the malware is likely proxy-aware and can</description><link>http://www.secuobs.com/revue/news/383675.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383675.shtml</guid></item>
<item><title>How Advanced Malware Bypasses Process Monitoring</title><description>Secuobs.com : 2012-06-21 22:41:40 - FireEye Malware Intelligence Lab - One of the primary aims of an anti-virus (AV) engine is to monitor all process activity while malware, on the other hand, wants to avoid detection by AV. The philosophy of most rootkits is to run silent and deep, which also aligns with the goals of advanced malware as it evades detection by most enterprise class host-based security solutions (HBSS) and AV. So how does malware evade detection when starting new rogue processes? Easy: it directly attacks</description><link>http://www.secuobs.com/revue/news/383027.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383027.shtml</guid></item>
<item><title>Why I've Joined FireEye: The Pressing Market Needs and the Company's Ability to Deliver</title><description>Secuobs.com : 2012-06-19 14:35:03 - FireEye Malware Intelligence Lab - This marks my first week as board chairman at FireEye, and I'm tremendously excited to be joining the company. FireEye has talented people and brilliant solutions that meet a critical need in the market, and has been growing rapidly as a result. With these fundamental assets and upcoming innovations, the prospects as we move forward are very promising. You only need to look at the news of the past week or two to see some</description><link>http://www.secuobs.com/revue/news/382388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/382388.shtml</guid></item>
<item><title>Stories About Botnets - Part 1</title><description>Secuobs.com : 2012-06-18 19:22:58 - FireEye Malware Intelligence Lab - The malware threat landscape is changing very fast. New and improved malware are hitting the attack surface on a daily basis. No wonder advanced malware like to operate in stealth mode. They try to change their behaviors, shapes and patterns as much as they can do to fool their enemies. Not only do we need a signature-less technology to handle such malware, but we also need a news resource continuously talking about these emerging threats, and this is where a series of blogs on this topic comes into play.</description><link>http://www.secuobs.com/revue/news/382209.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/382209.shtml</guid></item>
<item><title>Guest Blog: Former CIA CISO on Nation-State Security Challenges</title><description>Secuobs.com : 2012-06-16 00:22:49 - FireEye Malware Intelligence Lab - There has been a growing realization by the global cyber security community that cybercriminals of all shapes, sizes, and motivations are getting a lot better at finding and exploiting zero-day attacks. Furthermore, while the bulk of these attacks still target the Microsoft family of operating systems, increasingly attacks are being targeted at the Unix/Linux family of operating systems. Correspondingly, there is also more recent awareness of the extent of Advanced Persistent Threat (APT) rootkits that</description><link>http://www.secuobs.com/revue/news/381892.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/381892.shtml</guid></item>
<item><title>Flamer/sKyWIper Malware Analysis</title><description>Secuobs.com : 2012-05-30 14:08:19 - FireEye Malware Intelligence Lab - As widely reported elsewhere, the Flamer/sKyWIper malware has largely been attributed to yet another unknown APT actor, which appears to target organizations in the Middle East. Rather than speculate on attribution or repeat the initial analysis provided by CrySyS Lab, this blog post will focus on additional indicators of compromise that have yet to be documented elsewhere.</description><link>http://www.secuobs.com/revue/news/378495.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/378495.shtml</guid></item>
<item><title>Even Hackers Don't Like to Work Weekends: Email Attack Trends from Q1 2012</title><description>Secuobs.com : 2012-05-24 18:27:40 - FireEye Malware Intelligence Lab - In our second half (2H) of 2011 Advanced Threat Report, we provided compelling evidence that illustrated a possible correlation between an increase in email-based attacks and national holidays. Continuing this theme, let's widen our dataset to include all worldwide customers and focus on the corresponding statistics collected year-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial SPAM and anti-virus filtering across our customer deployments who share intelligence back to us.</description><link>http://www.secuobs.com/revue/news/377544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/377544.shtml</guid></item>
<item><title>Spear phished by FireEye</title><description>Secuobs.com : 2012-04-13 16:45:09 - FireEye Malware Intelligence Lab - Blogging about crimeware (commodity malware that will infect victims in a purely opportunistic fashion) is an easy thing to do ethically, as the "victim" often times does not add much value to the story. Also, there are so many copies of the malware publicly available that talking about the threat does not compromise your collection source, and in general, we try to avoid "naming names" for the sake of shaming anyone. In the case of</description><link>http://www.secuobs.com/revue/news/369817.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369817.shtml</guid></item>
<item><title>Quick Reference for Manual Unpacking</title><description>Secuobs.com : 2012-04-10 07:40:59 - FireEye Malware Intelligence Lab - By packing their malicious executable, malware authors can be sure that when these malicious executables are opened in a disassembler they will not show the correct sequence of instructions, thus making malware analysis a lengthier and more difficult process. One method to locate the address of the code's first instruction before it was packed, also known as the Original Entry Point (OEP) of a file, is to apply the break point on the APIs that</description><link>http://www.secuobs.com/revue/news/369050.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369050.shtml</guid></item>
<item><title>Zeus takeover leaves undead remains</title><description>Secuobs.com : 2012-04-03 07:44:52 - FireEye Malware Intelligence Lab - Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created from the famous Zeus toolkit. This effort was part of so called Operation B-71. When I heard this news, the first thing I wanted to find out was if these botnets have been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting</description><link>http://www.secuobs.com/revue/news/367712.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367712.shtml</guid></item>
<item><title>FireEye Advanced Threat Report 2H2011 Now Available</title><description>Secuobs.com : 2012-02-14 09:42:31 - FireEye Malware Intelligence Lab - FireEye's new Advanced Threat Report for the second half of 2011, released today, is not your typical threat report. The threats we cover aren't the known malware and spam you'll find published in reports from traditional security vendors. Instead, what you'll find is insight into advanced threats that have successfully evaded traditional lines of defense, including firewalls, IPS, gateways and antivirus. Looking at shared threat data from global deployments of FireEye's Malware Protection Systems (MPS),</description><link>http://www.secuobs.com/revue/news/357619.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/357619.shtml</guid></item>
<item><title>FireEye Advanced Threat Report 1H2011</title><description>Secuobs.com : 2011-08-31 12:46:15 - FireEye Malware Intelligence Lab - Our new 1H 2011 Advanced Threat Report is out. It is our inaugural report and I think you will find it interesting because it is uniquely focused on the new and dynamic threats. We have thousands of appliances protecting organizations around the world, and they are deployed _behind_ firewalls, intrusion prevention systems, antivirus and Web gateways. So, the threat data we reviewed in this report are the _successful_ malware attacks breaking through traditional defenses. This</description><link>http://www.secuobs.com/revue/news/326219.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326219.shtml</guid></item>
<item><title>Harnig is Back</title><description>Secuobs.com : 2011-08-10 07:49:04 - FireEye Malware Intelligence Lab - Rustock's old buddy Harnig is back in action. Harnig is considered to be a very wide spread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system for a small fee. There has been a long term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig. I reported</description><link>http://www.secuobs.com/revue/news/322170.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322170.shtml</guid></item>
<item><title>Old Wine In A New Bottle</title><description>Secuobs.com : 2011-06-22 20:45:40 - FireEye Malware Intelligence Lab - The recent Adobe Flash 0 Day (CVE-2011-2110) is a classic case of an old malware that has used new 0 days as a vector to spread itself. How and why I will explain shortly; first a little detail about the exploit itself. The exploit is targeting a vulnerability in the Action Script Virtual machine according to our good friends at Shadowserver. The swf file takes an info parameter and a successful exploitation leads to the</description><link>http://www.secuobs.com/revue/news/312934.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312934.shtml</guid></item>
<item><title>Koobface - Goodbye Facebook</title><description>Secuobs.com : 2011-04-08 23:32:55 - FireEye Malware Intelligence Lab - It looks like Koobface has started to lose interest in Facebook. We first observed this dramatic change around February this year. All of a sudden, we saw bot herders are no longer instructing zombies to post fake messages to compromised Facebook accounts. Our first impression was that it's just a temporary move, but a continued silence for about two months is not something that can be ignored. Last time we saw Koobface trying to pollute</description><link>http://www.secuobs.com/revue/news/297228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/297228.shtml</guid></item>
<item><title>The Rise Of Incognito</title><description>Secuobs.com : 2011-03-24 21:45:16 - FireEye Malware Intelligence Lab - Have you ever wondered how malware spreads, why there are so many compromised machines out there talking back to their CnC's? There must be a medium, a vehicle if you may, to get a Zeus, a Rogue AV, a Rustock (not anymore) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, then your answer is right. Exploits, Pay Per Installs, Social Engineering are</description><link>http://www.secuobs.com/revue/news/293994.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293994.shtml</guid></item>
<item><title>Harnig Botnet: a retreating army</title><description>Secuobs.com : 2011-03-22 22:24:55 - FireEye Malware Intelligence Lab - Rustock is not the only botnet which suffered from the recent take down by Microsoft. It appears that Harnig (aka Piptea), a close relative to Rustock, is retreating as well. There is no evidence that someone is trying to shutdown Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly. Harnig is considered to be a very wide spread pay per install malware whose sole purpose is</description><link>http://www.secuobs.com/revue/news/293438.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293438.shtml</guid></item>
<item><title>An overview of Rustock</title><description>Secuobs.com : 2011-03-19 22:24:43 - FireEye Malware Intelligence Lab - If you've been living under a rock, you might have missed that the largest spambot, Rustock, was recently taken down in a collaborated, coordinated way. All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it's time to talk about a few of the details. Why has Rustock been so successful for so long? How has it managed to stay off the</description><link>http://www.secuobs.com/revue/news/292837.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292837.shtml</guid></item>
<item><title>TrojanLinxder and the Flash 0-day (CVE-2011-0609)</title><description>Secuobs.com : 2011-03-17 02:26:11 - FireEye Malware Intelligence Lab - Adobe recently reported the existence of a new zero day flaw in flash player which, according to them, can affect flash player 10215233 and earlier versions. Soon after, additional news broke out showing that this flaw had been used as part of limited targeted attacks. The initial attacks used a swf file embedded inside an MS excel file to lure users into clicking it. Once a user opens this excel file, the flash file embedded</description><link>http://www.secuobs.com/revue/news/292189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292189.shtml</guid></item>
<item><title>OMG-WTF-PDF Dénouement</title><description>Secuobs.com : 2011-02-03 05:34:39 - FireEye Malware Intelligence Lab - A follow-up to my (Julia's) talk at the 27th Chaos Computer Congress, "OMG-WTF-PDF": Corrections, updates, and reactions.</description><link>http://www.secuobs.com/revue/news/282639.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282639.shtml</guid></item>
<item><title>The Dead Giveaways of VM-Aware Malware</title><description>Secuobs.com : 2011-01-28 07:19:25 - FireEye Malware Intelligence Lab - I often overhear talk about so called next generation anti vm, sandnet and debugger techniques and their "widespread" use by modern malware, and how this is hurting modern day automated malware analysis and detection. Well, I find the facts are quite different. Most of these claims don't provide good evidence and I consider them little more than an attempt to create FUD (Fear, Uncertainty and Doubt). The reality is that after the good old days</description><link>http://www.secuobs.com/revue/news/281348.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281348.shtml</guid></item>
<item><title>Leouncia - Yet Another Backdoor</title><description>Secuobs.com : 2010-12-15 07:17:13 - FireEye Malware Intelligence Lab - This is the second article in a row where I am going to disclose the presence of another new backdoor malware. I have recently seen this backdoor emerging on the threat landscape while investigating some targeted attacks. I named this malware Leouncia. Why? I'll make it clear later. Like Vinself, Leouncia is a powerful backdoor that is designed to take complete control over the infected machine. In terms of code base, both malware look very</description><link>http://www.secuobs.com/revue/news/271844.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271844.shtml</guid></item>
<item><title>Leouncia - Yet Another Backdoor - Part 2</title><description>Secuobs.com : 2010-12-15 07:17:13 - FireEye Malware Intelligence Lab - (Note: This post is a continuation of my previous article.) Let's dive deeper into the internals of this powerful backdoor program. 1. Protocol Decryption: Leouncia's C&amp;C payload decryption consists of two major phases. The first part is the formulation of a dynamic permutation table using a variable 128 bit key. This permutation table is further used to decrypt the actual payload. Let me explain it step by step. 1.1 Table Construction: The main ingredient of this</description><link>http://www.secuobs.com/revue/news/271843.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271843.shtml</guid></item>
<item><title>WinSelf - A new backdoor in town</title><description>Secuobs.com : 2010-11-24 04:01:40 - FireEye Malware Intelligence Lab - I recently came across a new piece of malware found to be involved in a limited targeted attack. Initial exploration revealed it to be a powerful backdoor with the capacity to provide an attacker complete control over the infected system. What's happening at the moment? A few weeks ago, we saw a powerful backdoor Pirpi exploiting the IE 0-day as part of some targeted attacks. Now comes Winself. The emergence of new and powerful backdoors</description><link>http://www.secuobs.com/revue/news/267091.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/267091.shtml</guid></item>
<item><title>More on the IE 0-day - Hupigon Joins The Party</title><description>Secuobs.com : 2010-11-05 06:32:18 - FireEye Malware Intelligence Lab - It was just a few days ago when Symantec disclosed a new 0-day vulnerability in Microsoft's Internet Explorer (versions 6, 7, and 8). They found at least one malware called 'BackdoorPirpi' that is actively exploiting this vulnerability in targeted email attacks posing as hotel reservation notifications. Here at FireEye labs, we have identified another type of Modern Malware called 'Hupigon' exploiting the same IE zero-day vulnerability. This malware looks to be more successful/reliable at infecting</description><link>http://www.secuobs.com/revue/news/262650.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/262650.shtml</guid></item>
<item><title>Bredolab - "It's not the size of the dog in the fight</title><description>Secuobs.com : 2010-10-28 05:52:05 - FireEye Malware Intelligence Lab - ..., it's the size of the fight in the dog" that matters. Bredolab is not giving up. This morning, I found two more active CnC domains, not only alive but issuing new commands as well. These two domains are: upload-goodnet and lodfewpleasercom. The Bredolab variant communicating to upload-goodnet is especially important as almost all AVs are missing it at the moment. Only 1 AV out of total 42 AVs available on VirusTotal was able</description><link>http://www.secuobs.com/revue/news/260506.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/260506.shtml</guid></item>
<item><title>Bredolab - Severely Injured but not dead</title><description>Secuobs.com : 2010-10-27 07:33:22 - FireEye Malware Intelligence Lab - Today started with some good news. The mega botnet known as Bredolab has been taken down. Kudos to the Dutch police and involved ISPs. Over the years, Bredolab evolved into a powerful pay per install network. The bot herders behind it have shown great expertise in spreading their core malware using different infection vectors such as drive by downloads and social engineering. The sole purpose of Bredolab was to spread itself as aggressively as possible.</description><link>http://www.secuobs.com/revue/news/260203.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/260203.shtml</guid></item>
<item><title>Feodo - A new botnet on the rise</title><description>Secuobs.com : 2010-10-21 21:48:23 - FireEye Malware Intelligence Lab - We are seeing a trend where new banking trojans are emerging on the threat landscape very rapidly. First came Bugat followed by Carberp. Unfortunately, it is time to meet 'Feodo'. Since August of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. Although my analysis says that</description><link>http://www.secuobs.com/revue/news/259015.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/259015.shtml</guid></item>
<item><title>Avzhan Botnet - The Story of Evolution</title><description>Secuobs.com : 2010-10-10 05:00:13 - FireEye Malware Intelligence Lab - Recently guys from Arbor Networks and Trend Micro published very good analysis about a new DDOS botnet being dubbed as Avzhan. This name was taken from one of the callback domains, avzhan1332org, being used by this botnet. Surprisingly, callback domains like avzhan1332org and avzhan332org are not something new. These domains have been used by another DDOS malware since 2008 and 2009. In FireEye these malware are recognized as DDOSDATCK and DDOSBYCC. Is Avzhan DATCK's new</description><link>http://www.secuobs.com/revue/news/255617.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255617.shtml</guid></item>
<item><title>Silent Rustock</title><description>Secuobs.com : 2010-10-06 17:02:40 - FireEye Malware Intelligence Lab - There has been a significant drop in worldwide SPAM levels observed during the last month or so. M86 thinks it's due to Rustock, the world's largest spam botnet. They say that due to some unknown reasons, Rustock suddenly stopped sending spam. McAfee has a different point of view; according to them it's due to recent attempts to shutdown PushdoD, another famous spam botnet. It's clear that SPAM levels are dropping, so let's try to find</description><link>http://www.secuobs.com/revue/news/254731.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/254731.shtml</guid></item>
<item><title>Chasing CnC Servers - Part 2</title><description>Secuobs.com : 2010-09-24 02:46:12 - FireEye Malware Intelligence Lab - In my last article, I discussed how tricky it can be to track botnets through their command and control servers. My last article was more focused on the false negatives (missing detection) aspect of this approach. Today I will discuss the false positive issue in detail. Tracking botnets through the command and control servers requires a few assumptions. One such assumption is that "every CnC is a bad resource or is at least distinguishable from</description><link>http://www.secuobs.com/revue/news/251240.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/251240.shtml</guid></item>
<item><title>Musings on download_execrb</title><description>Secuobs.com : 2010-09-17 00:30:25 - FireEye Malware Intelligence Lab - The common "DownloadURLToFileA some EXE file, and WinExec it" shellcode in use today hasn't changed much in eight years. (Probably because everyone just copies the code out of Metasploit for their exploits.) This is a byte by byte analysis of that shellcode.</description><link>http://www.secuobs.com/revue/news/246454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/246454.shtml</guid></item>
<item><title>Chasing CnC Servers - Part 1</title><description>Secuobs.com : 2010-09-17 00:30:25 - FireEye Malware Intelligence Lab - There are two general ways a complex problem can be solved, using a good approach or a bad one. The only good thing about the bad approach is that it will usually be simpler to understand and implement, but in the long run one will find that shortcuts don't always work. The good thing with most humans is that they learn from their mistakes and move forward. This is what we are seeing happen at</description><link>http://www.secuobs.com/revue/news/246453.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/246453.shtml</guid></item>
<item><title>Infiltrating Pushdo -- Part 2</title><description>Secuobs.com : 2010-09-17 00:30:25 - FireEye Malware Intelligence Lab - I am sure if historians ever write about botnet take downs, they won't forget to mention the Pushdo botnet. It's the third time in the last two years or so that there has been an attempt to take down this botnet. The first attempt was back in Nov 2008 when the McColo ISP shutdown crippled Pushdo along with other spam botnets like Srizbi and Rustock. The second attempt was earlier this year when FireEye got a</description><link>http://www.secuobs.com/revue/news/246452.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/246452.shtml</guid></item>
<item><title>World's Top Malware</title><description>Secuobs.com : 2010-07-26 23:52:40 - FireEye Malware Intelligence Lab - The malware landscape has always been very dynamic. New threat types and malware always replace the old ones. The prevalence of a particular malware family at any given time is dependent upon multiple factors like the business model, the efficiency of the person(s) driving this malware, and sometimes, actions by the anti malware industry. For example, due to efforts of the research community, Storm 10 and Srizbi, which were once the world's largest botnets, are</description><link>http://www.secuobs.com/revue/news/244034.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/244034.shtml</guid></item>
<item><title>World's Smallest PDF</title><description>Secuobs.com : 2010-06-21 14:36:53 - FireEye Malware Intelligence Lab - Acrobat will parse some very badly formed PDF files. It's possible to remove almost everything from a PDF file, and still launch Javascript. A minimum of 58 bytes are all that is required to execute Javascript within Acrobat.</description><link>http://www.secuobs.com/revue/news/233455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233455.shtml</guid></item>
<item><title>Mariposa Still Alive</title><description>Secuobs.com : 2010-06-19 03:28:26 - FireEye Malware Intelligence Lab - In March earlier this year, Spanish police arrested three men linked to the Mariposa botnet. After this move it was widely believed that the massive botnet had shutdown. From what I have seen over the last week, that is not the case. Some Mariposa CnCs are still active and spreading. The screen shot below is a snapshot of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1) communicating to its CnC. On this occasion it received a command to spread</description><link>http://www.secuobs.com/revue/news/233060.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233060.shtml</guid></item>
<item><title>Some Notes About Neosploit</title><description>Secuobs.com : 2010-06-05 03:48:16 - FireEye Malware Intelligence Lab - Neosploit encodes into the URL various bits of version information about a victim's browser and OS. It's using Java exploits, and is spread via malicious advertisements.</description><link>http://www.secuobs.com/revue/news/228821.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/228821.shtml</guid></item>
<item><title>Storm Resurrection, is it true?</title><description>Secuobs.com : 2010-04-29 01:51:47 - FireEye Malware Intelligence Lab - I got very excited when I heard that recently Steven Adair from Shadowserver has spotted a slightly modified Storm variant live in action. But I was a little surprised when I read the details of this alleged new variant. This new variant (a modified version of actual storm) was discovered back in 2008 and I got a chance to write about it in quite a detail. From my article written back in 2008: "Another interesting nugget</description><link>http://www.secuobs.com/revue/news/217116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/217116.shtml</guid></item>
<item><title>Who is Exploiting the Java 0-day?</title><description>Secuobs.com : 2010-04-16 09:35:52 - FireEye Malware Intelligence Lab - The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for malware drive by attacks. This flaw was exposed by Tavis Ormandy a few days back and it did not take a long time for bad guys to start using the proof of concept code for real exploitation. I have been reading about the exploit details for the last few days, but very few details were available.</description><link>http://www.secuobs.com/revue/news/212913.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212913.shtml</guid></item>
<item><title>Win32 API Shellcode Hash Algorithm</title><description>Secuobs.com : 2010-03-20 02:06:03 - FireEye Malware Intelligence Lab - A reference table for Windows API Function Name Hashes, used in many shellcode examples. Also, daylight saving time is dumb.</description><link>http://www.secuobs.com/revue/news/203564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203564.shtml</guid></item>
<item><title>Black Energy Crypto</title><description>Secuobs.com : 2010-03-03 22:43:47 - FireEye Malware Intelligence Lab - The "Yes Exploit System" encrypts its "Black Energy"-like components. The crypto design used has a fatal flaw, which allows for someone to completely recover the plaintexts, without knowing the keys, or algorithm used, or even any information at all except for a small amount of known plaintext.</description><link>http://www.secuobs.com/revue/news/197748.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197748.shtml</guid></item>
<item><title>MITB (Man in the Browser) Protection Layers</title><description>Secuobs.com : 2010-02-26 09:38:41 - FireEye Malware Intelligence Lab - In my last post, I talked about some of the MITB attacks currently being used by modern banking trojans like URLZone and Zeus/Zbot. Although most modern-day banks have in place various security measures like multi-factor authentication to prevent online theft, based on my last article, we can see that most of these techniques are not enough to prevent MITB attacks. These techniques are mostly there to make the credentials theft difficult, but not impossible. Today</description><link>http://www.secuobs.com/revue/news/195848.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195848.shtml</guid></item>
<item><title>Conference Stuff</title><description>Secuobs.com : 2010-02-25 00:49:15 - FireEye Malware Intelligence Lab - FireEye has a booth at the RSA2010 Expo. Julia is going to the RSA Expo, and is giving a talk at PH-Neutral in May.</description><link>http://www.secuobs.com/revue/news/195308.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195308.shtml</guid></item>
<item><title>Man in the Browser</title><description>Secuobs.com : 2010-02-19 02:32:46 - FireEye Malware Intelligence Lab - Man in the Browser, aka MITB, is a new breed of attacks whose primary objective is to spy on browser sessions (mostly banking) and in that process intercept and modify the web page contents transparently in the background. In a classic MITB attack, it's very likely that what the user is seeing in his/her browser window is not something which the actual server sent. Similarly, what the server sees on the other end might not</description><link>http://www.secuobs.com/revue/news/193366.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193366.shtml</guid></item>
<item><title>Infiltrating Pushdo -- Part 1</title><description>Secuobs.com : 2010-01-22 10:48:52 - FireEye Malware Intelligence Lab - It's very rare that we researchers get a chance to explore the inner workings of a botnet command and control server. Detailed insight into the botnet server or command component can give us valuable information about the motives of the botnet and possibly the bad guys behind it. But granting access to these command and control servers often depends on the will of the hosting providers. So what happened in this case? Recently, while I</description><link>http://www.secuobs.com/revue/news/184382.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/184382.shtml</guid></item>
<item><title>PDF Obfuscation using getAnnots</title><description>Secuobs.com : 2010-01-15 09:44:22 - FireEye Malware Intelligence Lab - Since around October 2009, Neosploit¹, a black-market exploit toolkit, has been fabricating PDF files in a slightly new way, but in a way which is difficult for many parsers to analyze for maliciousness. In summary, all of the metadata in a PDF is accessible from the Acrobat Javascript environment, and this metadata is being used for obscuring embedded Javascript code. A PDF parser would need to fill in all the document objects with the correct</description><link>http://www.secuobs.com/revue/news/181897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/181897.shtml</guid></item>
<item><title>Checking In With The Ozdok Sinkhole</title><description>Secuobs.com : 2009-11-16 23:28:43 - FireEye Malware Intelligence Lab - If you've read our last couple of blogs, you know that FireEye recently hijacked the Ozdok/Mega-D botnet (see 'Smashing the Mega-d Ozdok botnet in 24 hours'). We registered some C&amp;C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we saw 487,430 unique IP addresses connecting to us. It's difficult</description><link>http://www.secuobs.com/revue/news/161339.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/161339.shtml</guid></item>
<item><title>Smashing the Mega-d Ozdok botnet in 24 hours</title><description>Secuobs.com : 2009-11-06 19:23:59 - FireEye Malware Intelligence Lab - In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight different approaches to take down this botnet theoretically. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shutdown attempt requires someone to take the initiative and start a combined</description><link>http://www.secuobs.com/revue/news/158311.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/158311.shtml</guid></item>
<item><title>Who is Exploiting the Office Web Components 0-day?</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - Just a day before Patch Tuesday, when Microsoft is going to release a couple of patches for DirectShow vulnerabilities (including the MSVIDCTRL 0-day), IE (Internet Explorer) users are hit by another surprise. A new 0-day vulnerability has been identified in the MS Office Web Components and is currently being exploited via the IE scripting interface. There is no patch available at the moment, but MS has come up with a workaround. One of the malicious URLs which</description><link>http://www.secuobs.com/revue/news/157787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157787.shtml</guid></item>
<item><title>Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - Wait (beep beep), back up for a second, Alex. I heard 3fn was brought down by the FTC. That would be correct. On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka Triple Fiber Network, Pricewert, APX Telecom, APS Communications) off the Internet. I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad</description><link>http://www.secuobs.com/revue/news/157786.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157786.shtml</guid></item>
<item><title>Heap Spraying with Actionscript</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - Flash has its own version of ECMAScript called Actionscript, and whoever wrote this new 0-day finally did something new by implementing the heap-spray routine with Actionscript inside of Flash.</description><link>http://www.secuobs.com/revue/news/157785.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157785.shtml</guid></item>
<item><title>Who is Exploiting the Adobe Flash 0-day?</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - It looks like zero-day discoveries for the month of July are not quite over yet. I have already talked about two vulnerabilities inside MS products earlier this month: July 7th 2009, 'Who is Exploiting the Windows 0-day (MSVIDCTL.DLL)?'; July 14th 2009, 'Who is Exploiting the Office Web Components 0-day?'. Then came the 3rd one inside Mozilla Firefox 3.5, almost at the exact same time. Sadly enough, this article is about another 0-day (fourth in</description><link>http://www.secuobs.com/revue/news/157784.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157784.shtml</guid></item>
<item><title>Who is Exploiting the Adobe Flash 0-day? - Part 2</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well. This is precisely what has started to happen. Here is the snippet of the javascript which is actively targeting this 0-day vulnerability. This exploit successfully</description><link>http://www.secuobs.com/revue/news/157783.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157783.shtml</guid></item>
<item><title>Killing the beast - Part 3</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi aka ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the fact that a cyber theft of more than 150,000 has recently been publicly disclosed. Notorious, isn't it? Like the first two parts where</description><link>http://www.secuobs.com/revue/news/157782.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157782.shtml</guid></item>
<item><title>A leap into the unknown - Part 1</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - A leap into the unknown is a series which will discuss some lesser known malware that has a reasonably good command and control structure. Most of this malware might not be totally new to the AVs, but they were never considered for more than just creating a signature. Little or no effort has been made to disclose the motivation behind creating this malware, the CnC architecture, or the people behind it. These articles are not</description><link>http://www.secuobs.com/revue/news/157781.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157781.shtml</guid></item>
<item><title>Gumblar, Not Gumby</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - Ok, I admit this blog post is not about our childhood TV friend, Gumby. Instead it's about a much more sinister character, Gumblar, and its malware henchmen. Originally making its debut back in March/April of this year (see here, here and here), it then suddenly went quiet for a few months, until recently. Yes, Gumblar is back with a vengeance and still causing problems for its unsuspecting victims. The primary delivery mechanism is</description><link>http://www.secuobs.com/revue/news/157780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157780.shtml</guid></item>
<item><title>A little more on Donbot</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - Donbot is primarily a spam bot, one of the few spam botnets whose growth was not hampered by the McColo shutdown earlier this year. As a matter of fact, the sudden shutdown of big spammers like Srizbi and Rustock helped Donbot climb the spam botnet rankings. In this article I am going to discuss different aspects of Donbot, first as a malware, and then in the later half I will try to shed some light</description><link>http://www.secuobs.com/revue/news/157779.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157779.shtml</guid></item>
<item><title>Killing the beast - Part 4 (Ozdok)</title><description>Secuobs.com : 2009-11-05 14:58:20 - FireEye Malware Intelligence Lab - Ozdok aka Mega-d is one of those botnets that has been very successful flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 42% of the world's overall SPAM. The question that arises again is who are the guys controlling this botnet, and more importantly, from where? I recently conducted a detailed study of Ozdok's active command and control servers. There are two main</description><link>http://www.secuobs.com/revue/news/157778.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157778.shtml</guid></item>
</channel>
</rss>
 
